X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=tls.go;h=51470f37bb802ebe1f45cb10eefe0c1b2d24e74b;hb=e057b4615b830e49508b76f722f1461755aafdda;hp=40395f0c590de89b0b4b516a70ba512897c4c4f5;hpb=0b398c5db588b71a9efc0b2796c3fc002d20d05b;p=godlighty.git

diff --git a/tls.go b/tls.go
index 40395f0..51470f3 100644
--- a/tls.go
+++ b/tls.go
@@ -30,20 +30,49 @@ import (
 var (
 	NextProtos = []string{"h2", "http/1.1"}
 
-	HostToCertificate map[string]*tls.Certificate
-	HostClientAuth    map[string]*x509.CertPool
+	HostToECDSACertificate map[string]*tls.Certificate
+	HostECDSAClientAuth    map[string]*x509.CertPool
+
+	HostToEdDSACertificate map[string]*tls.Certificate
+	HostEdDSAClientAuth    map[string]*x509.CertPool
 
 	HostToGOSTCertificate map[string]*tls.Certificate
 	HostGOSTClientAuth    map[string]*x509.CertPool
 )
 
+func CHIHasTLS13(chi *tls.ClientHelloInfo) bool {
+	for _, v := range chi.SupportedVersions {
+		if v == tls.VersionTLS13 {
+			return true
+		}
+	}
+	return false
+}
+
+func CHIHasEdDSA(chi *tls.ClientHelloInfo) bool {
+	if !CHIHasTLS13(chi) {
+		return false
+	}
+	for _, ss := range chi.SignatureSchemes {
+		if ss == tls.Ed25519 {
+			return true
+		}
+	}
+	return false
+}
+
 func GetCertificate(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	if CHIHasGOST(chi) {
 		if cert := HostToGOSTCertificate[chi.ServerName]; cert != nil {
 			return cert, nil
 		}
 	}
-	cert := HostToCertificate[chi.ServerName]
+	if CHIHasEdDSA(chi) {
+		if cert := HostToEdDSACertificate[chi.ServerName]; cert != nil {
+			return cert, nil
+		}
+	}
+	cert := HostToECDSACertificate[chi.ServerName]
 	if cert == nil {
 		return nil, errors.New("no certificate found")
 	}
@@ -55,8 +84,11 @@ func GetConfigForClient(chi *tls.ClientHelloInfo) (*tls.Config, error) {
 	if CHIHasGOST(chi) {
 		pool = HostGOSTClientAuth[chi.ServerName]
 	}
+	if pool == nil && CHIHasEdDSA(chi) {
+		pool = HostEdDSAClientAuth[chi.ServerName]
+	}
 	if pool == nil {
-		pool = HostClientAuth[chi.ServerName]
+		pool = HostECDSAClientAuth[chi.ServerName]
 	}
 	if pool == nil {
 		return nil, nil
@@ -125,12 +157,15 @@ func loadCertificates(
 }
 
 func LoadCertificates() {
-	HostToCertificate = make(map[string]*tls.Certificate, len(Hosts))
-	HostClientAuth = make(map[string]*x509.CertPool)
+	HostToECDSACertificate = make(map[string]*tls.Certificate, len(Hosts))
+	HostECDSAClientAuth = make(map[string]*x509.CertPool)
+	HostToEdDSACertificate = make(map[string]*tls.Certificate, len(Hosts))
+	HostEdDSAClientAuth = make(map[string]*x509.CertPool)
 	HostToGOSTCertificate = make(map[string]*tls.Certificate, len(Hosts))
 	HostGOSTClientAuth = make(map[string]*x509.CertPool)
 	for host, cfg := range Hosts {
-		loadCertificates(host, cfg.TLS, &HostToCertificate, &HostClientAuth)
+		loadCertificates(host, cfg.ECDSATLS, &HostToECDSACertificate, &HostECDSAClientAuth)
+		loadCertificates(host, cfg.EdDSATLS, &HostToEdDSACertificate, &HostEdDSAClientAuth)
 		loadCertificates(host, cfg.GOSTTLS, &HostToGOSTCertificate, &HostGOSTClientAuth)
 	}
 }